
smart setinfo _pw pass reset (unauthorized access)


mercury
Member
Join Date: Jun 2004
Old 07-21-2006 , 01:36   smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #1

ok, i have an idea about smart reset setinfo _pw on users machines.
you know setinfo _pw "pass" sits in the user's config.cfg until you clear it manually, so you can fall victim to unauthorized access, especially when you are not the only person using your computer.

i'm new to amxx so my code doesn't work. included just to show examples.

i suggest the following:
1. on connect right after client_authorized() we should save all users passwords in array.
2. then clear them from users configs:

Code:
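// one slot per client id (1..32), 31 chars + terminator each
new user_pwds[33][32]

public client_authorized(id) {
    if (!is_user_bot(id)) {
        // save pass: read the client's current _pw setinfo value
        get_user_info(id, "_pw", user_pwds[id], 31)
        // clear setinfo on the client
        client_cmd(id, "setinfo _pw ^"^"")
    }
    return PLUGIN_CONTINUE
}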

3. right after timelimit has run out we should set those setinfos back:

Code:
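new players[32], num
get_players(players, num)
for (new i = 0; i < num; i++) {
    // get_players fills players[] with client ids; use the id, not the loop counter
    new id = players[i]
    // restore the saved value into _pw
    client_cmd(id, "setinfo _pw ^"%s^"", user_pwds[id])
}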

it's all ok in theory but i don't have the knowledge to build this one from beginning to end. so any advice would be much appreciated. ty.

p.s.: on the whole i think this functionality should be included in amxx by default (maybe as an optional cvar) since it brings in useful security improvement.
__________________
mercury is offline
mercury
Member
Join Date: Jun 2004
Old 07-21-2006 , 01:38   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #2

OMG! move this one here http://forums.alliedmods.net/forumdisplay.php?f=11 pls. sorry. delete this message then please.
__________________
mercury is offline
Freecode
Never Fall Asleep
Join Date: Jan 2004
Old 07-21-2006 , 01:39   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #3

if u want to make it hard to access write some type of encoder or save it into binary file instead of cfg.
Freecode is offline
mercury
Member
Join Date: Jun 2004
Old 07-21-2006 , 01:46   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #4

Freecode, yeah, but anyone knowing the principles still can get your config easily. with the scheme stated above we can prevent unauthorized access at all.
__________________
mercury is offline
Freecode
Never Fall Asleep
Join Date: Jan 2004
Old 07-21-2006 , 01:55   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #5

using your method won't work. You still gotta save it somewhere while the user isn't playing. If you want something really hard core you would md5 the password ;]
Freecode is offline
mercury
Member
Join Date: Jun 2004
Old 07-21-2006 , 02:10   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #6

Quote:
using your method won't work. You still gotta save it somewhere while the user isn't playing.
why? when the user isn't playing we shouldn't save anything at all. if he has disconnected, on retry he will have to enter the password again, and that is not a problem since if you are disconnecting you have probably decided to leave. (anyway you can still re-enter the pass if you've changed your mind)

Freecode, could you please move this topic to the appropriate forum, or should i create there a new one (and trash this one)
__________________
mercury is offline
mercury
Member
Join Date: Jun 2004
Old 07-21-2006 , 02:17   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #7

md5 hash still sits in the user's config, so anyone can steal it from there and use it themselves. the purpose of this plugin is to clear any traces of the user's password from the config file and at the same time to allow proceeding to the next map without any kicks or password prompt, since we know that if the user is connected > he is authorized to do that (has entered the password to enter), and we can safely set his pass back in his console.
__________________
mercury is offline
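
A check for the exposure discussed in this thread, as an added example that is not part of any post: it scans config text for a persisted, non-empty `_pw` setinfo and also flags a value that looks like an MD5 digest, since a stored hash is replayable in the same way as a stored password. The accepted line formats, the `audit_config` name and the sample config are assumptions constructed for illustration.

```python
import re

# Assumed line shapes: setinfo _pw pass / setinfo "_pw" "pass" / setinfo _pw ""
SETINFO_RE = re.compile(
    r'^\s*setinfo\s+"?(?P<key>[^"\s]+)"?\s*(?:"(?P<q>[^"]*)"|(?P<bare>[^\s"]+))?',
    re.IGNORECASE,
)
MD5_RE = re.compile(r'^[0-9a-fA-F]{32}$')


def audit_config(text, field="_pw"):
    """Return (line_no, kind) for each stored credential in `field`.

    kind is "plaintext" or "md5-like". Cleared (empty) values and
    commented-out lines produce no finding.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("//", 1)[0]            # drop cfg comments
        m = SETINFO_RE.match(line)
        if not m or m.group("key").lower() != field.lower():
            continue
        quoted = m.group("q")
        value = quoted if quoted is not None else (m.group("bare") or "")
        if not value:
            continue                             # setinfo _pw "" means cleared
        kind = "md5-like" if MD5_RE.match(value) else "plaintext"
        findings.append((no, kind))
    return findings


# Constructed sample config, not taken from a real client.
SAMPLE_CFG = '''\
bind "w" "+forward"
setinfo "_pw" "hunter2"
// setinfo _pw oldpass
setinfo _pw 5f4dcc3b5aa765d61d8327deb882cf99
setinfo "_pw" ""
setinfo "_vgui_menus" "1"
name "player"
'''

if __name__ == "__main__":
    for no, kind in audit_config(SAMPLE_CFG):
        print(f"line {no}: stored {kind} credential in _pw")
```

If the server uses a different password field, pass its name as `field`.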
Freecode
Never Fall Asleep
Join Date: Jan 2004
Old 07-21-2006 , 03:56   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #8

Ok. so you remove his password from the config files. Then when he disconnects what do you do with the password? You write it back to the config?
Freecode is offline
mercury
Member
Join Date: Jun 2004
Old 07-21-2006 , 04:34   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #9

Freecode, when he disconnects we do nothing. setinfo _pw still nulled (we cleared it on client_authorized) so no-one can steal our pass.
__________________
mercury is offline
Freecode
Never Fall Asleep
Join Date: Jan 2004
Old 07-21-2006 , 16:58   Re: smart setinfo _pw pass reset (unauthorized access)
Reply With Quote #10

And what happens when a server goes off for some reason, or even crashes? Or even changes map when that user is not in the server?
Freecode is offline

All times are GMT -4. The time now is 18:22.

